The Internet of Things and emerging security concerns

Author:
Publication Date: Monday, 7 Aug 2017

Despite organisations increasing their cybersecurity budgets, the variety and number of cyber-attacks have continued to grow, with the most recent examples, the ransomware attacks 'WannaCry' and 'Petya', rattling both private and government organisations in over 150 countries.

The advent of the Internet of Things (IoT), in less than a decade, has added to the complexity of cybersecurity due to the heterogeneous nature of IoT devices and a lack of unified standards.

Our networks are expected to grow to a staggering 50 billion[1] connected devices, mostly IoT, with $7.1 trillion[2] worth of spending by 2020. The addition of billions of devices into our existing networks has triggered a push for private and government organisations to develop, deploy and manage IoT. We are therefore seeing the increasing deployment of IoT towards industrial and smart city applications such as services, transport, healthcare, environmental protection, and emergency services.

In the research community there is a lot of attention on interoperability and connectivity standards for IoT, as well as some focus on IoT security, privacy, availability and robustness, yet security remains an open problem.

The tremendous amount and value of data generated by IoT systems attracts a variety of attacks. As IoT security is still evolving, there is a high likelihood of breaches, along with residual risks associated with IoT, because wireless communication is the primary medium and because IoT devices have inherent limitations in computational processing, power and storage. Complex security techniques are therefore not viable.

However, users are encouraged to adopt IoT applications with a false sense of security. Many IoT devices are not manufactured with security in mind. For example, a router installed in a smart home will have some level of security in place, but a climate control unit or a smart gaming console in a child's hand may not have been secured. In this example, if we hand over security settings to a child, they may innocently reveal them to the wrong person, and the security of the entire home may then be compromised.

The vulnerability comes from the weakest link in the network, most often people and weak processes. Even if all devices are secure, there is some possibility that secure practices will not be followed, such as setting easy-to-guess passwords, a lack of controls, or a lack of awareness about security issues on apparently simple devices.

The internet was not invented to be a controlled system, yet it is a backbone for every device capable of connectivity, making it open to global attacks from both skilful individuals and organised groups. The benefits of a globally connected system are enormous, but it also comes with a dark and ugly side. It provides anonymity to those with skills and capabilities and allows them indefinite time to break into our secure systems, whether for thrill, financial gain, industrial espionage, narcotics, child pornography, harassment, financial scams, spying, terrorism or leakage of classified information. We cannot imagine a crime these days where some sort of technology is not used. Globally connected systems such as the IoT have made it easy. In fact, connected systems have introduced even more sophisticated white-collar crimes, such as financial fraud, information and identity theft, and infiltration of corporate data.

This highlights the need for a holistic security approach, at both the individual and the corporate level, starting with access control. Multiple layers of access, to reduce the exposure of data to an acceptable level, would improve security. At the individual level, IoT security risks should be addressed at the same level as physical security. For example, if we ensure our doors and windows are locked, CCTV is turned on and the intrusion detection alarm is activated, we need to ensure that a connected device in our child's hand has comparable security. Similarly, at the corporate level, senior executives need to weigh the risks of IoT threats by answering questions such as: What are the IoT security risks to their organisation and customers? How effectively are those risks managed? How regularly are the risk management plans tested? How efficiently can we respond to a threat?